In this short series of articles, I am updating materials I wrote for Chapter 28 ("Security Policy Guidelines") of _The Computer Security Handbook, 4th Edition_. This first column starts with recommendations on how to frame security policies.

How should one write security policies? Should they be suggestions? Orders? Positive? Negative? I think that policies should be definite, unambiguous and directive. In addition, all policies should have (preferably optional) explanations for the reasons behind them.

Orientation: Prescriptive and proscriptive

Security policies should be written with clear indications that all employees are expected to conform to them. Language should be definite and unambiguous; for example, "All employees must…" or "No employees shall…"

Some policies require people to do something; these are _prescriptive_. For example, "Employees must follow the password procedures defined by the Information Protection Group at all times."

Other policies prohibit certain actions; these are _proscriptive_. For example, "No employee shall make or order illegal copies of proprietary software under any circumstances."

Writing style

Each policy should be short. Simple declarative sentences are best; writers should avoid long compound sentences with multiple clauses. Details of implementation are appropriate for standards and procedures, not for policies. Policies can refer users to the appropriate documents for implementation details; for example, "Passwords shall be changed on a schedule defined in the _Security Procedures_ from the Information Protection Group."

Reasons

Few people like to be ordered about with arbitrary rules. Trying to impose what appear to be senseless injunctions can generate a tide of rebellion among employees.
It is far better to provide explanations of why policies make sense for the particular enterprise; however, such explanations can make the policies tedious to read for more experienced users. A solution is to provide optional explanations. One approach is to summarize policies in one part of the document and then to provide an extensive expansion of all the policies in a separate section or a separate document. Another approach is to use hypertext, as explained in an article to follow.